
feat: adding code and setup repository workflows #2

feat: adding code and setup repository workflows



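# Bandit static-analysis gate: scans the repository for Python security
# findings, publishes a SARIF report to the Security tab, and fails the
# workflow when any HIGH-severity issue is present.
name: Bandit
on:
  workflow_dispatch: {}
  pull_request:
    branches:
      - develop
jobs:
  analyze:
    runs-on: 'ubuntu-latest'
    # Least privilege: security-events: write is what upload-sarif needs;
    # the rest is read-only.
    permissions:
      security-events: write
      actions: read
      contents: read
    steps:
      - name: Set up Python 3.9
        uses: actions/setup-python@v5
        with:
          # Quoted so the version is a string (unquoted "3.10" would become 3.1).
          python-version: "3.9"
      - name: Install Bandit
        shell: bash
        # Quoted: bandit[sarif] is otherwise a shell glob pattern.
        run: pip install 'bandit[sarif]'
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          # NOTE(review): a read-only scan on pull_request does not need a
          # dedicated token; the default github.token would suffice — confirm
          # why RELEASE_TOKEN is required here (private submodules?).
          token: ${{ secrets.RELEASE_TOKEN }}
          # No later step pushes or pulls, so don't leave the token in .git/config.
          persist-credentials: false
      - name: Run Bandit - Check for HIGH severity issues
        id: high_severity_check
        shell: bash
        run: |
          # Run bandit focusing on high severity issues and capture the exit code.
          # Bandit exits non-zero when issues at or above the requested level exist.
          bandit . -r -c ipas_default.config --severity-level high || echo "high_severity_issues=true" >> "$GITHUB_OUTPUT"
          # Check the result directly from the metrics. The same config file is
          # passed so that skips/excludes honoured by the other steps are honoured
          # by the gate as well.
          if ! bandit . -r -c ipas_default.config -f json | grep -q '"SEVERITY.HIGH": [1-9]'; then
            echo "No HIGH severity issues found!"
          else
            echo "HIGH severity issues found! Workflow will fail after reporting."
            echo "high_severity_issues=true" >> "$GITHUB_OUTPUT"
          fi
      - name: Run Bandit - Generate full report
        shell: bash
        # `|| true`: the report step must not abort before the SARIF is uploaded;
        # the gate step above decides whether the workflow fails.
        run: bandit . -c ipas_default.config -r -f sarif -o results.sarif || true
      - name: Upload SARIF results
        uses: actions/upload-artifact@v4
        with:
          name: bandit-results
          path: results.sarif
      - name: Upload SARIF to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
          category: bandit
      - name: Fail workflow if HIGH severity issues were found
        # Runs only after the report has been published so reviewers can see
        # the findings that caused the failure.
        if: steps.high_severity_check.outputs.high_severity_issues == 'true'
        shell: bash
        run: |
          echo "ERROR: HIGH severity security issues were found by Bandit."
          echo "Review the security report and fix all HIGH severity issues before merging."
          exit 1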